Support reading secrets in K8s agent manifest

[mukeshelastic]

Beats on K8s were able to read sensitive data like credentials from secrets to prevent these credentials or any other sensitive data in plain text in the config files. We need to provide similar experience on agent. For example, users can create secrets on command line and then refer it in yaml files from k8s secrets store.

cloud_id=test-cloud-id
cloud_auth=testusername:test-cloud-id-password
kubectl create secret generic cloud-secret --from-literal=cloud-id=test-cloud-id --from-literal=cloud-auth=testusername:test-cloud-id-password

  valueFrom:
        secretKeyRef:
          name: cloud-secret
          key: cloud-id

We need the agent manifest support reading from K8s secrets.

[elasticmachine]

Pinging @elastic/agent (Team:Agent)

[ph]

@blakerouse I believe our original intention was to add support for secrets inside the provider in this case k8s? So a user could reference a value our tags ${...} and the provider will resolve the values. Does it need special handling in the framework?

[blakerouse]

I think the original idea was to add a single secret context provider. This provider would have different backends, with multiple supported at the same time. I would think we could start with a single backend of K8s at first, because that has the biggest use-case at the moment.

With this backend it would allow the value of the secret to be exposed as a variable in the dynamic inputs composer.

Using the secret that @mukeshelastic created in the description of the issue, it could be reference in the configuration with simply: ${secret.kubernetes.cloud-secret.cloud-id}.

Adding an extra provider backend would just scope secret variable in that named backend. Example below with 2 providers, below (not that we need to start with 2):

providers:
  secret:
    backends:
      - type: kubernetes
      - type: keystore
        path: '~/keystore.store`

Then either could be referenced with ${secret.kubernetes.cloud-secret.cloud-id} and ${secret.keystore.cloud-id}. Adding it all together with order of usage ${secret.kubernetes.cloud-secret.cloud-id|secret.keystore.cloud-id}.

Now to enable this we need to add a little more to context providers. At the moment it is expected that the context provider push all keys to the composer, for secrets I would expect it to only provide values to keys that are referenced. So a little more needs to be added to the ContextProvider interface. Adding more to and possible in the ContextProvider is for the Elastic Agent to watch for changes in values of referenced keys so those changes could automatically trigger a re-generation of configuration.

[ph]

I've touched briefly with @ruflin on this and after talking to him, I am not sure we actually need a "Secret Provider" that supporting multiple backend and having to deal with resolution priority, but we could instead have dedicated providers.

providers:
  kubernetes_secrets: ~
  file_secrets: 
   path: '~/tmp/keystore.store'

Something like "kubernetes_secrets" or "file_secrets" and user could reference them directly like "${kubernetes_secrets.cloud-secret.cloud-id}". Also some of these provider could add subcommands to our CLI, this is a requirement for current libbeat keystore ("add", "list", remove).

I am not totally against the backend strategy, but I am not sure if this is a real use case to have multiple backend at the same time. @mukeshelastic can we get your inputs to align the technical implement?

[ph]

So a little more needs to be added to the ContextProvider interface. Adding more to and possible in the ContextProvider is for the Elastic Agent to watch for changes in values of referenced keys so those changes could automatically trigger a re-generation of configuration.

@blakerouse is that a supported mechanism for k8s, ie does k8s sent a notification or we would have to an internal watchdog for the values?

[mukeshelastic]

I think the original idea was to add a single secret context provider. This provider would have different backends, with multiple supported at the same time. I would think we could start with a single backend of K8s at first, because that has the biggest use-case at the moment.

I am in support for getting this working with single K8s backend and then expanding to additional backend when required. So just restating what @blakerouse mentioned as a way to read this secret in config files ${secret.kubernetes.cloud-secret.cloud-id} is a good first step.

[blakerouse]

I've touched briefly with @ruflin on this and after talking to him, I am not sure we actually need a "Secret Provider" that supporting multiple backend and having to deal with resolution priority, but we could instead have dedicated providers.

providers:
  kubernetes_secrets: ~
  file_secrets: 
   path: '~/tmp/keystore.store'

Something like "kubernetes_secrets" or "file_secrets" and user could reference them directly like "${kubernetes_secrets.cloud-secret.cloud-id}". Also some of these provider could add subcommands to our CLI, this is a requirement for current libbeat keystore ("add", "list", remove).

I am not totally against the backend strategy, but I am not sure if this is a real use case to have multiple backend at the same time. @mukeshelastic can we get your inputs to align the technical implement?

We could also go with the what you described, I just liked the cleanness of secrets.*. Going with what you described would be easier to implement and would keep the flat namespace.

[blakerouse]

So a little more needs to be added to the ContextProvider interface. Adding more to and possible in the ContextProvider is for the Elastic Agent to watch for changes in values of referenced keys so those changes could automatically trigger a re-generation of configuration.

@blakerouse is that a supported mechanism for k8s, ie does k8s sent a notification or we would have to an internal watchdog for the values?

I believe there to be a way to watch for changes in secrets, but would need to fully confirm. I believe watching changes for any resource is generic.

[ruflin]

As ph mentioned, I prefer a separate provider for each secret "type". Like this we have just one implementation. I understand that from a usability perspective the secret.* is nice. Maybe we can get almost there by calling the providers secret_kubernetes etc? Every secret provider should have the secret_* prefix`.

An other solution (but not sure if intuitive for users) is that inside a provider the prefix can be specified or even have a different default from the name itself.

providers:
  kubernetes_secrets: ~
  prefix: kubernetes.secret

The nice part about the above is that all data coming from k8s has the same prefix, but now it is not unique anymore which is problematic.

I think my favorite solution at the moment is to just use kubernetes_secret to have a similar prefix to kubernetes provider.

[ph]

@ChrsMark would be nice to have your opinion on this.

[ChrsMark]

Both ways ("flat" one and "backend-based" one) look good to me. It was useful in Beats to implement different keystore backends but now I understand that the variable resolution happens based on the relationship between the dynamic-inputs and the provider.

+1 for the "flat" one since its looks more straightforward.

Also we should keep in mind that enabling dynamic inputs to retrieve a Kubernetes secret, through kubernetes_secrets means that kubernetes_secrets provider will make an API call to k8s api to retrieve the secret's value on resolution time. To achieve this we need to add secrets k8s resource to the elastic-agent's ClusterRole and we should be careful about this to ensure we don't expose Secrets k8s api (through agent) to malicious users.

[ChrsMark]

Posting a use case here as a complete example (feel free to comment/edit):

- name: redis
  type: redis/metrics
  use_output: default
  meta:
    package:
      name: redis
      version: 0.3.6
  data_stream:
    namespace: default
  streams:
    - data_stream:
        dataset: redis.info
        type: metrics
      metricsets:
        - info
      hosts:
        - '${kubernetes.pod.ip}:6379'
      username: '${kubernetes_secrets.default.redisPass.value}'
      idle_timeout: 20s
      maxconn: 10
      network: tcp
      period: 10s
      condition: ${kubernetes.pod.labels.app} == 'redis'

Users can refer a Kubernetes Secret with the following pattern:

${kubernetes_secrets.<namespace>.<secret_name>.<value>}
For instance, ${kubernetes_secrets.default.redisPass.value} where kubernetes_secrets.default.redisPass.value specifies a key stored as a Kubernetes secret with the following:

Kubernetes Namespace: default
Secret Name: redisPass
Secret Data Key: value

[ph]

@chrsblck looking at kubernetes_secrets.default.redisPass.value is the value part necessary, is there something else that value that could be retrieved for the redisPass key?